Target CEO Gregg Steinhafel to step down following data breach

Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season shifted into high gear. (AP Photo/Damian Dovarganes)

Target Corp. Chief Executive Officer Gregg Steinhafel, dogged by questions over whether the company responded quickly enough to a data breach last year, will step down as chairman, president and CEO.

John Mulligan, Target’s chief financial officer, will serve as interim CEO while the company seeks a permanent replacement, according to a statement today. Board member Roxanne Austin will be interim chairwoman.

Steinhafel had been working to regain customers’ loyalty after hackers stole card data and personal information from tens of millions of shoppers during the holiday season. Beth Jacob, who had served as Target’s top technology officer during the breach, stepped down in March.

After the attack became public in December, during the height of the holiday shopping season, it harmed Target’s reputation and fourth-quarter sales. The company’s U.S. comparable-store sales decreased 2.5 percent in the period. Target is slated to report its latest quarterly results later this month.

Target shares fell as much as 3.3 percent to $59.98 in early trading. Before today, the stock had declined 12 percent in the past 12 months.

“The board is confident in the future of this company and views this transition as an opportunity to drive Target’s business forward and accelerate the company’s transformation efforts,” the directors said in the statement.

Early clues

In March, Target told a Senate panel that it had clues about the attack weeks before responding and was exploring why it took so long to react. Sometime after intruders entered Target’s systems on Nov. 12, their activities were detected and evaluated by security professionals, according to remarks Mulligan submitted to the panel. The company was later alerted to suspicious activity by the U.S. Justice Department, leading to an internal investigation that confirmed a breach on Dec. 15.

“We are asking hard questions about whether we could have taken different actions before the breach was discovered that would’ve resulted in different outcomes,” Mulligan said at the time. “In particular, we are focused on what information we had that could have alerted us to the breach earlier; whether we had the right personnel in the right positions; and ensuring that decisions related to operational and security matters were sound.”

Lawmaker criticism

Several senators criticized Target’s management for not reacting sooner to warnings from sophisticated anti-hacking systems. The Senate Committee on Commerce, Science and Transportation, which prepared a report ahead of the hearing, found that Minneapolis-based Target appeared to have missed opportunities “to stop the attackers and prevent the massive data breach.”

The board said today that Steinhafel held himself personally accountable for the breach and “pledged that Target would emerge a better company.” Steinhafel, who spent 35 years at Target, had been CEO since 2008. He will remain an adviser to the company during the transition.

Steinhafel is entitled to severance payments, Target said in a separate filing today. The maximum payment for executives who involuntarily leave the company is two times base salary and the average of the last three years of short-term incentive and personal performance payments, a previous filing shows.

The company also has hired the recruitment firm Korn Ferry to advise the board.

Target isn’t the only retailer to have had its systems attacked in the past year. Luxury department-store chain Neiman Marcus Group Ltd. said in January that about 1.1 million credit cards may have been compromised in a data breach. Days later, arts-and-crafts retailer Michaels Stores Inc. said some customer payment-card data may have been used fraudulently.